Data Security Law Blog (https://www.pbwt.com/data-security-law-blog/)
DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
Feed last updated: Fri, 18 Jan 2019 21:47:54 +0000

DFS Superintendent Vullo Reflects on NYS Cyber Regulation: Two Years Later
https://www.pbwt.com/data-security-law-blog/dfs-superintendent-vullo-reflects-on-nys-cyber-regulation-two-years-later/
Tue, 15 Jan 2019

With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.

In a four-page letter posted on the DFS website, Superintendent Maria T. Vullo said that, during the prior year, her agency and the financial services industry had worked “collectively [and] enhanced the financial services industry’s cybersecurity protections for New York, providing national standards and leadership on this critically important issue.” Vullo announced late last year that she would be stepping down on February 1, 2019, after serving three years in her post.

“I am especially proud to have led DFS in cybersecurity, having promulgated a final regulation in March 2017 that is now the national standard for the protection of our nation’s financial markets,” she said in a written statement.

The New York cybersecurity regulation has been phased in over the past two years. The regulation’s final provision becomes effective on March 1, 2019, at which time banks and insurers must have policies and procedures in place to deal with the security of their networks and confidential information accessible by third-party service providers.

New York Governor Andrew M. Cuomo has nominated Linda Lacewell, currently his Chief of Staff and Counselor, as the new banking superintendent. Lacewell is a former federal prosecutor, having spent nine years as an assistant U.S. Attorney in the Eastern District of New York, including two years on the Enron Task Force.

A few key takeaways from Vullo’s letter:

Breach Notices. DFS has thus far received approximately 1,000 notices of cybersecurity events from regulated institutions. The “majority of successful breaches involve common software technology used throughout business operations and have involved phishing attacks, social engineering threats, and issues relating to password composition and security and email security.”

Phishing Scams. “A significant number of events reported to DFS involved breaches that stemmed from employees providing credentials in response to attractive emails that trick a user to provide confidential information … from a source that the employee will trust, perhaps even appear to be an email from a customer or client of that employee and a subject that will peak their interest.”

Common Cyberattack Vectors. Vullo also stressed that recent cyberattacks underscored the importance of full implementation with the following provisions:

Multi-factor authentication (Section 500.12) (“Breaches occur more easily when the company does not have multi-factor authentication in place, or where the multi-factor authentication protection malfunctioned”);

Encryption (Section 500.15) (“Strong access control and encryption for data in transit and at rest mitigate the loss and are critically important.”);

Training (Section 500.14) (“Ongoing training is essential. All staff needs basic cybersecurity training to avoid events like successful phishing scams, and ongoing reminders and training to ensure protections from errors that could have significant consequences.”)

Annual compliance certificate. Due by February 15th of each year, the annual compliance certificate “is a critical governance pillar for the cybersecurity program of all DFS regulated entities.”

And Vullo explained DFS takes compliance seriously; DFS examiners have been including cybersecurity in all of their regular examinations. As leadership changes, we will—as usual—monitor DFS’s enforcement, interpretation, and approach to the regulation.

PayPal Shareholders’ Data Breach Stock-Drop Suit Dismissed
https://www.pbwt.com/data-security-law-blog/paypal-shareholders-data-breach-stock-drop-suit-dismissed/
Mon, 14 Jan 2019

Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price.

Now, in one of the first substantive decisions issued by a court in a breach-related stock drop suit, a federal judge in California dismissed the case without prejudice and signaled that shareholders face an uphill slog in making it past the motion to dismiss stage. Because this ruling comes early in the game, it is too soon to tell whether claims based on a public company’s data-breach related disclosures will, or will not, over time suffice to support a fraud claim under the federal securities laws.

In late 2017, PayPal disclosed a data security vulnerability it had discovered at a company it had recently acquired, TIO Networks, a Canadian cloud-based bill payment processor. PayPal issued a press release on November 10, 2017 disclosing that it had suspended TIO’s operations as a result of its “discovery of security vulnerabilities on the TIO platform and issues with TIO’s data security program that do not adhere to PayPal’s information security standards.” PayPal further explained that an internal investigation was ongoing.

Three weeks later, on December 1, 2017, PayPal made a second public disclosure stating that, as a result of the investigation, it found “a potential compromise of personally identifiable information for approximately 1.6 million customers.” In their complaint, plaintiffs allege that PayPal’s share price dropped by $4.33, or 5.75%, based on the disclosure.

Within the week, shareholders filed a securities fraud lawsuit in a California federal court. The shareholders claimed that the November 10th disclosure was materially false or misleading because it “disclosed only a security vulnerability, rather than an actual security breach, which PayPal and TIO did not acknowledge had been detected.” Under the shareholders’ theory, the nondisclosure of the actual breach on November 10th meant that PayPal’s stock was artificially inflated between the first and the second announcements.

The law requires pleading falsity as an essential element for a securities fraud claim, and PayPal, in asking the court to dismiss the case, argued that the shareholders had not satisfied the pleading standard. As PayPal’s lawyers saw it, the November 10th announcement was accurate when made. The company had indeed discovered a data security vulnerability and had truthfully alerted users (and the public) that their information was not safe. That PayPal did not disclose the actual breach until three weeks later – after its internal review – did not mean that the first announcement of the vulnerability was false or misleading.

Although the court found that the November 10th announcement “could plausibly have created an impression that only a potential vulnerability and not an actual breach had been discovered at that time, and certainly not one which threatened the privacy of 1.6 million users,” the judge noted that this didn’t mean that the company had yet acquired detailed knowledge of the breach at the time of the announcement.

“[T]o succeed based on Plaintiffs’ theory of loss causation, they must plead (in a manner that meets the heightened pleading requirements for scienter) that Defendants knew not only of an actual breach, but that the privacy of 1.6 million customers had been potentially compromised.” In support of this argument, plaintiffs relied on the testimony of three confidential witnesses, which the judge summarily rejected as insufficient, finding that plaintiffs “failed to satisfy the scienter of the falsity upon which their alleged loss is predicated.”

Bottom line: Allegations that PayPal was aware of a breach – in and of itself – didn’t mean the company had determined that the intruder had accessed or compromised user records.

Although PayPal won dismissal, the ruling underscores the dilemma faced by public companies when victimized by a cyberattack: Going public with news of a cyberattack isn’t always an easy call. Doing so too quickly can risk tipping off the bad guys and imperil investigations. Law enforcement often encourages, or even demands, that the incident not be disclosed. At the same time, companies know they have a duty to their investors to provide prompt information about any real risks to their businesses.

Companies facing the unfortunate news that their systems may have been breached need time to investigate and learn the facts. It may be sensible to require immediate disclosure of an issue to some extent, but how much detail can companies reasonably be expected to disclose at the first possible instance in these fast-moving scenarios? The investigation of a data security incident doesn’t happen overnight. It’s often a lengthy process with dribs and drabs of information coming out slowly.

If a company is forced to provide the details of a data security incident at the soonest possible instance, there is a risk that companies will provide inaccurate or incomplete information and ultimately confuse users, investors, and the public. But if a company discloses the issue promptly while waiting to provide details until they come into focus, then it risks being accused of misleading shareholders by omitting the details from the earlier disclosures.

Earlier this year, the SEC issued guidance that calls upon companies to transparently disclose material data security incidents in a “timely fashion.” However, the instruction is tempered by the SEC’s recognition that “some material facts may not be available at the time of the initial disclosure.”

Motions to dismiss are pending in a number of other data breach stock-drop lawsuits, including cases against AMD, Equifax, and Intel. Decisions should issue soon. We’ll be watching to see how courts grapple with these issues.

Yesterday, a Superior Court judge in Santa Clara, California approved what is believed to be the first monetary award to a company in a data breach-related derivative lawsuit. Until now, such breach-related derivative cases have settled through a combination of governance changes and modest awards of attorney’s fees.

But the former officers and directors of Yahoo! Inc. agreed to pay $29 million to settle charges that they breached their fiduciary duties in the handling of customer data during a series of cyberattacks from 2013 until 2016. Three billion Yahoo user accounts were compromised in the attacks, making it one of the largest reported hacks in U.S. history. The settlement puts an end to three derivative lawsuits filed in Delaware and California against the company’s former leadership team and board including ex-CEO Marissa Mayer.

Under the settlement, the lawyers will walk away with just under $11 million in fees and expenses, with the remaining $18 million paid to Yahoo! (now called Altaba, Inc.). The settlement will be funded by insurance.

A derivative lawsuit gives the owners of a company – the shareholders – a way to hold corporate directors and management accountable for their actions. To do so, shareholders file a claim on the company’s behalf, with any money recovered going to the corporation, not the individual shareholders, because the violation only harmed the organization.

The backstory of the Yahoo D&O settlement might never become public. In court filings, the parties have called the settlement fair and in the best interest of all parties, and have pointed to a laundry list of data security improvements that have been put in place at the company. But insurers don’t pay millions of dollars to settle a derivative case – especially when there’s a low likelihood that the shareholders would prevail in the case – without some concern that their exposure would be greater than the settlement.

We’ll take a closer look at the Yahoo settlement and the factors that might have driven the parties toward settlement in a future blog post.

Businesses covered by the recently enacted California Consumer Privacy Act of 2018 (CCPA) are scrambling to comply with the statute, which becomes “operative” on January 1, 2020, unless that date is changed by the California legislature. As we have noted in earlier blog posts, the CCPA is the most sweeping privacy law in the U.S. and has significant implications for any business that falls within its coverage.

To assist organizations preparing for its implementation, we are taking a closer look at key aspects of the law. In our first installment, we addressed the question of when covered businesses should aim to be compliant with the CCPA. This blog post addresses two defined terms essential for determining who is covered by the CCPA.

The CCPA defines several terms used throughout the statute, including “consumer” (used 318 times in the statute, including in the title) and “business” (210 times). Understanding these terms is essential for making threshold determinations, such as who has rights under the CCPA and which businesses have requirements under the CCPA. As we will cover in more depth below, the statute’s current language of “consumer” is limited to California residents but “business” may cover many out-of-state companies that “do business” in California.

Consumers

The CCPA defines “consumer” as “any natural person who is a California resident.” Cal Civ. Code § 1798.140(g). The term “resident” covers any person physically present in California for a non-temporary purpose, and anyone with a domicile in California who is temporarily out-of-state. Id.; Cal Code Regs. tit. 18 § 17014.

As we previously noted, questions have been raised about this definition, such as whether it applies to the employees of covered businesses. The “consumer” definition is also limited to residents of California. However, as we will see in the next section, the CCPA’s definition of “business” does not contain similar geographical limits, so businesses not physically located within the State of California may come within the coverage of the law.

Businesses

The CCPA’s definition of “business” applies to any for-profit entity that (1) collects consumers’ personal information or has such information collected on its behalf; (2) determines the purposes and means of processing the personal information; (3) “does business” in California; and (4) satisfies one of the following three criteria:

“Has annual gross revenues in excess of” $25 million;

“[A]nnually buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices” (meaning a physical object capable of connecting to the internet or another device, Cal Civ. Code § 1798.140(j)); or

“Derives 50% or more of its annual revenue from selling consumers’ personal information.”

Cal Civ. Code § 1798.140(c). Further, the CCPA generally applies to any entity that controls or is controlled by an entity that meets the above definition and shares common branding, meaning name, servicemark, or trademark. It defines control as owning or having the power to vote more than 50% of a business’s “outstanding shares of any class of a voting security,” control over the election of the majority of a business’s directors, or “the power to exercise a controlling influence over the management of a company.” Id.

While the CCPA does not currently define “does business,” the statute provides an outer limit on its own reach, excluding from the obligations imposed in the statute the collection or sale of consumer personal information “if every aspect of that commercial conduct takes place wholly outside of California.” Id. § 1798.145(6). The CCPA explains that this means the information was collected while the consumer was outside California and, for sales of consumer information, no part of the sale occurred in California. Id. Whether courts (or the regulations that are forthcoming from the state’s Attorney General) will interpret the “does business” language to encompass all activity up to this outer limit is an open question.

In a related development, Bloomberg Law reported last night that California Attorney General Xavier Becerra is gearing up to draft regulations implementing the CCPA and has secured $700,000 in funding and five new staffers to work on the regulations. That report noted that his office will be holding public forums (which we reported on last week), and quoted Becerra saying “we’re an enforcer, we’re not a regulator … I’m being asked to be a regulator.”

While we are still nearly a year away from the “operative” date of the CCPA, outgoing California Governor Jerry Brown has already signed a first amendment to the CCPA. See SB 1121. One key amendment was a modification to limit the law’s applicability where other privacy protections were already in place, such as under the California Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code § 56 et seq.) or the federal government’s Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA). SB 1121 exempts certain information from the law’s coverage because it is already heavily regulated.

For instance, “[p]roviders of health care,” as defined under CMIA, and HIPAA-covered entities are exempted to the extent that they maintain “patient information” in the same manner as “[m]edical information,” as defined by the CMIA, or “protected health information” as governed by the United States Department of Health and Human Services’ privacy, security, and breach notification rules issued pursuant to HIPAA. Id. § 1798.145(c)(1)(B). We will take a closer look at these exemptions in a future blog post.

Stay tuned for more in depth coverage of the CCPA.

State Attorney General Starts Rulemaking Process for California Consumer Privacy Act
https://www.pbwt.com/data-security-law-blog/state-attorney-general-starts-rulemaking-process-for-california-consumer-privacy-act/
Thu, 03 Jan 2019

Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA). The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.

As we’ve previewed in previous blog posts, the California Attorney General's office will have its work cut out for it in developing the regulations underlying the CCPA. Since the CCPA was adopted, there has been a groundswell of both support for and criticism of the regulation, ranging from interpretative issues to definitional ones. For example, taking the definition of “consumers” in the CCPA, issues have been raised as to whether or not it includes a regulated company’s own employees.

And to take a more nefarious example, despite recent amendments to the CCPA, critics have complained that the CCPA – as currently drafted – might allow potential criminals to “opt out” of the use of their data for the investigation of crimes.

In addition, when a consumer exercises his or her rights under the CCPA, businesses may not “discriminate against” that consumer, subject to a few exceptions. For instance, a business cannot deny goods or services to the consumer or charge different prices or rates for goods or services. At the same time, the CCPA says that businesses can charge a different price or rate if that difference is “reasonably related to the value provided to the consumer by the consumer’s data.” Critics complain that it’s unclear what counts as consumer data “reasonably related to value provided” such that companies can price discriminate against consumers that “exercise” their rights under the CCPA. The California DOJ must resolve these questions, and many others, despite what it says is a lack “of resources” to “carry out this rulemaking – or even its implementation thereafter.”

But in the meantime, the California DOJ will hold the public forums in January and February, across California. And, in advance of the forums, the agency “invites all interested persons and parties to submit comments regarding the CCPA regulations.”

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.

Advisers Act Rule 204-2—called the “Books and Records Rule”—requires advisers and their personnel to make and maintain records relating to their investment advisory business, which includes keeping “[o]riginals of all written communications received and copies of all written communications sent” relating to (i) recommendations and advice, (ii) the receipt or disbursement of funds, (iii) purchasing or selling a security, or (iv) the performance of a managed account or securities recommendation. The Books and Records Rule contains limited exceptions.

The alert specifically calls out “text/SMS messaging, instant messaging, personal email, and personal or private messaging” as being covered by the rule, as are other communications conducted on the adviser’s network or via third-party applications or platforms or “sent using the adviser’s computers, mobile devices issued by advisory firms or personally owned computers or mobile devices used by the adviser’s personnel” for business purposes.

Social media also received attention in the alert. An adviser who links to a “notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication” on their LinkedIn or other social media platform should heed Advisers Act Rule 204-2(a)(11), which requires an adviser to keep a copy of each commentary they circulate to ten or more persons.

Rather than expecting compliance in the abstract, Advisers Act Rule 206(4)-7—called the “Compliance Rule”—requires advisers to be proactive and “[a]dopt and implement written policies and procedures reasonably designed to prevent violation” of the Advisers Act and its rules. Citing to this requirement, the alert includes the following recommendations to advisers concerning policies and procedures they may want to implement for use of electronic communications:

Prohibit forms of electronic communications that easily allow for messages to be sent anonymously or to be automatically destroyed, or that prevent third-party viewing or back-up.

Require a procedure for moving an electronic message received from a client to another system that is in compliance with its books and records obligations.

Adopt and implement policies concerning the use of personal devices if such devices are used for business purposes.

If the use of social media, personal email, or personal websites for business purposes is permitted, implement policies and procedures for the monitoring, review, and retention of such electronic communications.

Train personnel on the policies and procedures in place on the use of electronic messaging and the disciplinary consequences for violations.

Regularly review social media sites and run Internet searches to identify potential violations of the adviser’s policies and procedures.

Establish a confidential reporting program so employees can report their concerns “about a colleague’s electronic messaging,” including use of social media or impermissible posts.

Require the downloading of security software on company-issued or personally owned devices prior to allowing them to be used for business purposes. Such software can (i) require cybersecurity updates, (ii) monitor for prohibited apps, and (iii) “wipe” a lost or stolen device of information.

“OCIE encourages advisers to review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs … [and] to stay abreast of evolving technology and how they are meeting their regulatory requirements,” said the alert.

With the New Year fast approaching, so begins the one-year countdown to the California Consumer Privacy Act, or CCPA, going into effect.

We have covered the CCPA’s enactment, amendments, and relevance to New York businesses. As we have noted, it is the most sweeping data privacy law in the United States, and has stirred substantial industry opposition, as well as confusion. To avoid repeating the mad dash to compliance from before the GDPR took effect last May, companies affected by the CCPA will need to resolve to spend a significant amount of time this coming year working out an implementation and compliance program for the new law.

Before digging into the specifics, we wanted to address the most pressing question for many organizations covered under the CCPA: by what date should covered businesses endeavor to be in compliance?

The CCPA becomes “operative” on January 1, 2020. Cal. Civ. Code § 1798.198(a). But the law also requires that the California Attorney General write and adopt regulations supporting it by July 1, 2020, and delays the AG’s exclusive power to bring enforcement actions under the CCPA until after the regulations are adopted. Id. §§ 1798.185(a), (c). Thus, depending on regulatory prerogatives and industry pushback, is it possible that the regulations underlying the CCPA will not be ready when the CCPA goes live on January 1, 2020? Perhaps.

There are, however, several reasons that organizations should start setting the wheels in motion for a January 1, 2020 compliance date, whether or not the AG has adopted regulations by then.

The AG’s July 1, 2020 deadline is the latest the AG may begin enforcing the CCPA. While it has not yet submitted any regulations for public comment, should it adopt regulations during 2019, the AG could—at least in theory—begin bringing enforcement actions as early as January 1, 2020.

Despite language that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law,” id. § 1798.150(c), is there a risk that plaintiffs will use potential violations of this law as a predicate for claims, for example, under California’s Unfair Competition Law? See Cal. Bus & Prof. Code § 17200 (including unlawful business acts or practices under the definition for unfair competition).

More generally, emphasizing and smoothly implementing compliance with new laws like the CCPA can help create a strong and well-informed culture of compliance throughout an organization, which will only serve to benefit all stakeholders.

Over the next few months, stay tuned as we take a deeper dive into the CCPA to explore its significant requirements, hurdles and nuance.

In our final installment of a three-part series, we look at the U.S. Securities and Exchange Commission’s Investigative Report into the epidemic of wire fraud or “business email compromise,” and then, based on its 2018 initiatives, consider the agency's likely priorities for the coming year.

Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.

In an investigative report, the SEC studied the internal accounting controls of nine public companies affected by wire fraud to determine if federal securities laws may have been violated by failing to have a sufficient system of internal accounting controls in place. The companies were in various sectors including technology, machinery, real estate, energy, finance, and consumer goods. In total, the nine companies investigated by the agency suffered losses totaling nearly $100 million as a result of the frauds. For the most part, the funds were not recoverable.

The SEC found that there were typically two different scenarios under which companies were scammed by cybercriminals. In the first scenario, a person posing as a senior company executive—most typically, a Chief Financial Officer or Chief Executive Officer—used a spoofed email domain and address to arrange for a wire transfer to a foreign bank account controlled by the criminals.

The second scenario involved a fake vendor or supplier to the company. The perpetrator would hack into the email account of a legitimate employee of the vendor, communicate with company personnel about an invoice that was due for payment, and then redirect the wire transfer to an account under the criminal’s control.

Of the nine companies investigated by the SEC, each lost a minimum of $1 million. Two companies lost more than $30 million and one company was taken for more than $45 million.

Although no charges were brought against the companies, the SEC emphasized that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” And in a clear warning, the SEC urged companies to reassess internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds,” and “calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”

transactions are executed in accordance with management's general or specific authorization; and

access to assets is permitted only in accordance with management's general or specific authorization.

The report emphasized that BEC scams are not particularly sophisticated and are often successful not because companies don’t have policies and procedures in place but because “the responsible personnel did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability.”

Beyond the nine companies investigated by the SEC, the price tag for BECs is soaring. In a report issued in July 2018, the FBI estimated that fraud involving BECs has cost companies more than $5 billion since 2013. Between October 2013 and May 2018, the FBI tracked more than 78,000 instances of global email fraud. The tab for these losses exceeded $12 billion.

Additionally, the FBI reports that banks in China and Hong Kong remain the primary destinations for fraudulent fund transfers, but that financial institutions in the United Kingdom, Mexico and Turkey have recently been identified as “prominent destinations.”

Recommended steps for guarding against BEC include:

consider adding an email banner that marks messages arriving from outside your organization, so that external senders are easily noticed;

conduct end-user education and training on the BEC threat and on how to identify a spear-phishing email;

ensure that company policies require verification of any changes to existing invoices, bank deposit information, and contact information;

contact requestors by phone, using a number already on file, before complying with email requests for payments or personnel records; and

consider requiring that two parties sign off on payment transfers.
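One way to automate the first of those steps, and to surface the “indications in the emailed instructions” that the SEC report says employees missed, is to score inbound mail for BEC indicators before it reaches accounts payable. The following is an added example, not code from this post or from the SEC or FBI material it discusses; the organization domain example.com, the vendor list, the 0.85 similarity cutoff and the three sample messages are all constructed for illustration. It goes slightly beyond the list above: besides flagging external senders (the banner case), it flags a Reply-To that differs from the From domain, a sender domain that is a near-miss of a trusted vendor or of the organization itself, and body text announcing changed bank details, and it holds any flagged external request for a phone callback.

```python
"""Flag common business email compromise (BEC) indicators in inbound mail.

Added illustration, not code from the blog post or from the SEC or FBI
reports it discusses. Everything below is an assumption for the example:
the protected organization is example.com, its approved vendors are the
domains in KNOWN_VENDOR_DOMAINS, and the three sample messages are
constructed, not real mail.
"""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

OUR_DOMAIN = "example.com"                                           # assumption
KNOWN_VENDOR_DOMAINS = ["acme-supplies.com", "northwind-parts.com"]  # assumption
TRUSTED_DOMAINS = KNOWN_VENDOR_DOMAINS + [OUR_DOMAIN]
EXTERNAL_BANNER = "[EXTERNAL] This message came from outside the organization."

# Phrases typical of the "we changed our bank account" vendor-impersonation scam.
PAYMENT_CHANGE_RE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|wire|routing|beneficiary)\b",
    re.IGNORECASE | re.DOTALL)
URGENCY_RE = re.compile(r"\b(urgent|immediately|today|before (the )?close)\b", re.IGNORECASE)


def domain_of(header_value) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` closely resembles (typosquat), or None.

    The 0.85 cutoff on difflib's similarity ratio is an assumed threshold.
    """
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    close = difflib.get_close_matches(domain, TRUSTED_DOMAINS, n=1, cutoff=0.85)
    return close[0] if close else None


def analyze(raw_message: str) -> Dict[str, object]:
    """Return the indicators found in one RFC 5322 message and the resulting handling."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    indicators: List[str] = []
    external = from_domain != OUR_DOMAIN
    if external:
        indicators.append("external_sender")          # drives the warning banner
    if reply_domain != from_domain:
        indicators.append("reply_to_mismatch")        # replies go somewhere else
    impersonated = lookalike_of(from_domain)
    if impersonated:
        indicators.append("lookalike_domain:" + impersonated)
    if PAYMENT_CHANGE_RE.search(text):
        indicators.append("payment_detail_change")
    if URGENCY_RE.search(text):
        indicators.append("urgency")

    # Policy: an external message carrying any indicator beyond merely being
    # external is held until the requestor is reached by phone on a number
    # already on file (never one taken from the email itself).
    hold = external and any(i != "external_sender" for i in indicators)
    return {
        "subject": str(msg["Subject"] or ""),
        "from_domain": from_domain,
        "indicators": indicators,
        "banner": EXTERNAL_BANNER if external else "",
        "hold_for_callback": hold,
    }


# Constructed sample messages (synthetic, for the example only).
LEGIT_INVOICE = """\
From: Acme Billing <billing@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4470 for October

Attached is invoice 4470 for October. Payment terms remain net 30 as usual.
"""

BEC_ATTEMPT = """\
From: Acme Billing <billing@acme-suppl1es.com>
Reply-To: billing-acme@mail-relay.example.net
To: ap@example.com
Subject: URGENT: Invoice 4471 - updated bank details

Please note that we have changed our bank account. Kindly wire the
outstanding balance to the new beneficiary account today, before close
of business.
"""

INTERNAL_NOTE = """\
From: Dana Lee <cfo@example.com>
To: ap@example.com
Subject: Quarterly close meeting

Reminder: the quarterly close meeting is Thursday at 10.
"""

if __name__ == "__main__":
    for sample in (LEGIT_INVOICE, BEC_ATTEMPT, INTERNAL_NOTE):
        result = analyze(sample)
        print(result["subject"], "->", result["indicators"],
              "| hold:", result["hold_for_callback"])
```

Running the file prints one line per sample: the genuine vendor invoice gets only the external banner, the lookalike-domain message with changed bank details is held for callback, and the internal note passes clean. In production the vendor list would come from the accounts payable master file, and the similarity cutoff would need tuning against that list so that legitimately similar vendor names do not trip the check.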

No doubt, the SEC’s initiatives in 2018 foreshadow a continued focus on cybersecurity. While predictions are always uncertain, there are five areas the Commission has made clear are regulatory priorities:

Cybersecurity Risk Disclosures. Since issuing its interpretative guidance earlier in 2018, the agency has been focused on the adequacy of public company cyber risk disclosure. While not scientific by any means, there appears to be an uptick in comment letters by the agency addressing specific cyber disclosure issues. This enhanced focus on cyber risk disclosure—albeit a balance between saying too much or too little about an organization’s cyber risk and defenses—should continue into 2019.

Timely Disclosure of Cybersecurity Incidents. With the Yahoo enforcement action as a baseline, the SEC is sure to be scrutinizing the timeliness of public company disclosures when victimized by a cyber-attack or other material data security incident. While these disclosures in many instances come down to hard-fought judgment calls about materiality, the agency has made clear that public companies have a duty to promptly inform the markets of material cybersecurity incidents.

Insider Trading Controls. The Commission’s 2018 interpretative guidance and its enforcement actions against two Equifax employees for allegedly trading on inside information make plain that insider trading will remain a priority. Public companies would be well advised to review their data security incident response plans and insider trading policies to ensure that they address trading halts between the time that a cybersecurity event is discovered and publicly disclosed. The SEC will undoubtedly be on the lookout for companies that don’t heed this advice.

Effectiveness of Data Security Policies. A theme in several enforcement actions is the effectiveness of a company’s data security policies. In all likelihood, the SEC will come at this issue in two ways. First, it will review policies to ensure that they are aligned with an organization’s risk profile and the risk environment in which it operates. Second, it will ask how those policies filter down through the organization and whether they are actually followed and enforced. In large part, that depends on employee training and on the priority an organization places on its cybersecurity hygiene.

Internal Accounting Controls. The Commission’s investigatory report sent a clear message to public companies: revisit the effectiveness of internal accounting controls to guard against BEC and wire fraud. With the global cost of this crime running into the billions, the SEC is unlikely to let its detailed report gather dust. The report is the proverbial shot across the bow. Public companies are well advised to revisit, and if necessary enhance, their internal control processes not just for wire transfers but for any significant movement of funds.

DFS’s Cybersecurity Regulation: What Your Company Should Have Done This Year
https://www.pbwt.com/data-security-law-blog/dfss-cybersecurity-regulation-what-your-company-should-have-done-this-year/
Thu, 13 Dec 2018

With the year quickly coming to a close, it’s time for organizations covered by New York’s Cybersecurity Regulation for Financial Service Companies to take stock of their compliance efforts before popping any champagne corks to usher in the New Year.

As we’ve previously blogged about, businesses covered by the cyber regulation must submit an annual compliance certificate for the prior year, affirming that all applicable requirements have been met by their deadlines. And DFS takes that requirement seriously, warning companies that it “expects full compliance with this regulation,” and that a “Covered Entity may not submit a certification” unless “the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification.” The next compliance certificate is due on February 15, 2019, but because it covers the prior calendar year, now is the time to look back at your 2018 compliance efforts.

The 2018 requirements were a heavy lift, even for large companies, with mandates ranging from annual penetration testing to encryption. Those requirements are loaded with nuance and are often keyed off the organization’s periodic risk assessment. That assessment in turn required companies “to respond to technological developments and evolving threats” and to “consider the particular risks of the Covered Entity’s business operations related to cybersecurity.”

With those caveats in mind, here’s a quick rundown of 2018’s requirements:

° Audit Trails – covered organizations must maintain systems designed to “reconstruct material financial transactions sufficient to support normal operations” and audit trails designed to “detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations” (Section 500.06);

° Application Security – companies must create “written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications,” in addition to “procedures for evaluating, assessing or testing the security of externally developed applications” (Section 500.08);

° Risk Assessment – an essential aspect of the regulation is the periodic risk assessment, which must “inform the design of” a company’s cybersecurity program. There are specific and detailed requirements that guide an organization’s performance of the risk assessment process (Section 500.09);

° Multi-factor Authentication – effective controls, which “may include Multi-Factor Authentication or Risk-Based Authentication,” must be employed “to protect against unauthorized access to nonpublic information or” an organization’s technology and IT environments (Section 500.12);

° Data Retention – policies and procedures are required for the “secure disposal on a periodic basis” of nonpublic information “no longer necessary for business operations or for other legitimate business purposes” (Section 500.13);

° Encryption – controls are required, including encryption, to protect nonpublic information in transit and at rest. If encryption is deemed “infeasible,” an organization may use “effective alternative compensating controls reviewed and approved” by the Chief Information Security Officer (Section 500.15).

One more caveat to keep in mind: The foregoing is only a thumbnail sketch of the cyber regulation’s 2018 requirements. Companies should carefully review the language of the regulation itself and seek counsel when necessary to better understand compliance obligations.

Over the coming months, we’ll do a deeper dive on the 2019 requirements, including the detailed requirements for third-party service providers and which “senior officer(s)” might be eligible to certify an organization’s compliance.

Protecting children’s online privacy remains a point of focus for the New York Attorney General. That’s the upshot of the recent record-setting settlement with Oath Inc. – formerly AOL, Inc. – for violating the Children’s Online Privacy Protection Rule (COPPA).

The settlement with the New York Attorney General is the largest in the U.S. for a COPPA violation. And, it is also the Attorney General’s sixth COPPA-related settlement since 2016.

COPPA is a federal law enacted in 1998 to protect the safety and privacy of young children online. Under the law, operators of websites and other online services directed to children under the age of 13, or that knowingly collect information from such children, are prohibited from collecting, using, or disclosing those children’s personal information unless the operator provides notice and obtains verifiable parental consent. Personal information includes not only names and physical addresses but also persistent online identifiers, such as web browser cookie IDs and IP addresses.

According to the Attorney General, Oath ran afoul of COPPA in multiple respects, all involving the use and disclosure of children’s personal information. Oath operated an online ad exchange that matched websites selling ad space with potential advertisers and, in doing so, collected and disclosed children’s personal information in violation of COPPA. The AG also charged that Oath used the personal information of website users to serve advertisements targeted at children across the web.

As part of its settlement, Oath agreed to pay a $4.95 million penalty and to establish and maintain a comprehensive COPPA compliance program. The program will require:

Designation of an executive or officer to oversee the program;

Annual COPPA training for relevant Oath personnel;

Identification of risks that could result in Oath’s violation of COPPA;

Design and implementation of reasonable controls to address identified risks;

Regular monitoring of the effectiveness of controls;

Development and use of reasonable steps to select and retain service providers that can comply with COPPA; and

Retention of an objective, third-party professional to assess the privacy controls that Oath has implemented.

Oath’s settlement is consistent with the Attorney General’s 2016 and 2017 COPPA-related settlements with Viacom, Inc., Mattel, Inc., JumpStart Games, Inc., Hasbro Inc. and True Ultimate Standards Everywhere, Inc. Like the Oath agreement, those settlements required the settling parties to implement reforms with respect to their policies and procedures, in addition to paying penalties.

This settlement should come as no surprise, nor should future enforcement actions directed at COPPA violations. As New York Attorney General Barbara Underwood warned, the Office of the Attorney General “remains committed to protecting children online and will continue to hold accountable those who violate the law.”